b'          U.S. Department of Energy\n          Office of Inspector General\n          Office of Audits and Inspections\n\n\n\n\nInspection Report\n\nProperty Accountability and Protection\nof Federal Sensitive Unclassified\nInformation Under the Cooperative\nAgreement with the Incorporated\nCounty of Los Alamos\n\n\n\nDOE/IG-0859                        February 2012\n                      8\n\x0c                                 Department of Energy\n                                    Washington, DC 20585\n\n                                        February 17, 2012\n\n\nMEMORANDUM FOR THE SECRETARY\n\n\nFROM                     Gregory H. Friedman\n                         Inspector General\n\nSUBJECT:                 INFORMATION: Inspection Report on "Property Accountability and\n                         Protection of Federal Sensitive Unclassified Information Under the\n                         Cooperative Agreement with the Incorporated County of Los Alamos"\n\nBACKGROUND\n\nOn September 30, 2008, the National Nuclear Security Administration entered into a 5-year\nCooperative Agreement with the County of Los Alamos, New Mexico. The general intent of the\nCooperative Agreement, with a cost per year to the Federal government averaging approximately\n$16 million, was to provide financial support, equipment, services and the use of fire station\nfacilities to the County in return for Los Alamos County Fire Department services. Under the\nCooperative Agreement, the Fire Department was to provide an enhanced level of services to\nsupport the Department of Energy\'s Los Alamos National Laboratory. These services include\nadvanced nuclear grade industrial fire suppression, advanced emergency medical services, rescue\nservices and hazardous materials first responder operational services. The Cooperative\nAgreement contains provisions for the management of Federally-owned personal property\nprovided to the Fire Department by NNSA. The Business Services Division of the NNSA\nAlbuquerque Complex in Albuquerque, New Mexico, has contracting oversight of the\nCooperative Agreement, while the Los Alamos Site Office is responsible for day-to-day\nadministration.\n\nIn December 2010, the Office of Inspector General received a complaint alleging that Federal\ngovernment property, including computers, was missing from the Fire Department. During our\ninitial evaluation of this complaint, we also became aware that Sensitive Unclassified Information\nprovided to the Fire Department by Los Alamos may not have been adequately protected.\nTherefore, we initiated this inspection to determine if Federally-owned personal property under\nthe Cooperative Agreement was adequately managed.\n\nRESULTS OF INSPECTION\n\nWe substantiated the allegation that property, including computers, was missing. Despite\nDepartment of Energy requirements, effective processes and procedures were not in place to\nensure the proper control and accountability of Federally-owned personal property in possession\nof the Fire Department. Specifically, the Fire Department had not:\n\n   \xe2\x80\xa2   Reported lost or stolen items to Los Alamos, as required. A 2010 inventory revealed that,\n       among other property, 9 computers, 4 cameras, a video projector and 40 radios were\n\x0c                                                2\n\n\n       missing. However, the items missing were never reported nor were the losses ever\n       investigated. Also, actions were not taken to determine financial responsibility for the\n       missing property;\n\n   \xe2\x80\xa2   Maintained an up-to-date listing of all Federally-owned personal property in the custody\n       of the County; and,\n\n   \xe2\x80\xa2   Always properly identified Federally-owned personal property at the time of acquisition\n       or ensured the proper disposal of excess property.\n\nThese problems occurred, in part, because the Los Alamos Site Office did not ensure that the\nproperty management provisions, which were part of the Cooperative Agreement, had been\neffectively implemented. In addition, the County did not manage its Federally-owned personal\nproperty in a manner consistent with the requirements of the Cooperative Agreement. Notably,\nthe Fire Department did not always implement County directives designed to ensure the proper\ncontrol and accountability of Federally-owned personal property in its possession. As a\nconsequence of this environment, Federally-owned personal property was not adequately\nsafeguarded against misuse, theft or misappropriation.\n\nDuring the course of our inspection, concerns were raised that Sensitive Unclassified\nInformation provided to the Fire Department by the Site Office may not have been adequately\nprotected. We added this issue to the scope of our review. We found that the Fire Department\nmay not have adequately protected Sensitive Unclassified Information in its possession. Federal\nofficials were aware of cyber security weaknesses related to the protection of Sensitive\nUnclassified Information provided to the County. However, in spite of specific suggestions to do\nso, the Site Office did not require the Fire Department to strengthen protective measures.\n\nThis issue notwithstanding, we could not reach a definitive conclusion regarding the overall level\nof protection for Sensitive Unclassified Information which was in the hands of the Fire\nDepartment. We did note, however, that NNSA had not ensured that all requisite provisions for\ncyber security were incorporated into the Cooperative Agreement. As a consequence, these\nproblems created an environment where Sensitive Unclassified Information provided to the\nCounty may be subject to loss or compromise.\n\nTo address these issues, we made recommendations designed to: 1) help improve the control and\naccountability of Federally-owned personal property in possession of the County; and, 2)\nestablish requirements in the Cooperative Agreement to address the protection of Sensitive\nUnclassified Information.\n\nAlso, during this inspection, we identified other matters (see Appendix 1) relating to the misuse\nof Federally-owned personal property and the resolution of questioned costs. To address these\nissues, we made suggestions to assure the proper use of Federally-owned personal property and\nthe timely resolution of questioned costs.\n\x0c                                               3\n\n\nMANAGEMENT REACTION\n\nManagement generally agreed with the intent of the report findings and recommendations.\nManagement stated that NNSA will start negotiations to amend the Cooperative Agreement to\nensure that the recommendations are implemented. However, management asserted that NNSA\ndid not have the specific authority to direct or enforce compliance with the provisions in the\nCooperative Agreement and requested that we delete or rewrite certain recommendations to\nreflect the potentially limited authorities inherent in this type of agreement.\n\nContrary to management\'s assertion, Title 2, Code of Federal Regulations, Grants and\nAgreements, provides the authority for NNSA to enforce this type of agreement with specific\nremedies for noncompliance. Nevertheless, where appropriate, we modified several\nrecommendations to address management\'s comments. Management\'s comments and our\nresponse are summarized and more fully discussed in the body of the report. Management\'s\nformal comments are included in their entirety in Appendix 3.\n\n\nAttachment\n\ncc:   Deputy Secretary\n      Associate Deputy Secretary\n      Administrator, National Nuclear Security Administration\n      Chief of Staff\n\x0cREPORT ON PROPERTY ACCOUNTABILITY AND PROTECTION OF\nFEDERAL SENSITIVE UNCLASSIFIED INFORMATION UNDER THE\nCOOPERATIVE AGREEMENT WITH THE INCORPORATED COUNTY\nOF LOS ALAMOS\n\n\nTABLE OF\nCONTENTS\n\n\nManagement of Federally-Owned Personal Property and Protection of Federal Sensitive\nUnclassified Information________________________________________________________\n\nDetails of Finding                                                                                                                        1\n\nRecommendations                                                                                                                           8\n\nManagement Comments                                                                                                                       9\n\nInspector Comments                                                                                                                        10\n\n\nAppendices\n\n1. Other Matters/Suggested Actions                                                                                                        11\n\n2. Objective, Scope and Methodology ...................................................................................                   14\n\n3. Management Comments ....................................................................................................               16\n\n4. Prior Reports ......................................................................................................................   18\n\x0cPROPERTY ACCOUNTABILITY AND PROTECTION OF FEDERAL\nSENSITIVE UNCLASSIFIED INFORMATION UNDER THE\nCOOPERATIVE AGREEMENT WITH THE INCORPORATED COUNTY\nOF LOS ALAMOS\n\nMANAGEMENT OF     We substantiated the allegation that property, including computers,\nFEDERALLY-OWNED   was missing. Despite Department of Energy (Department or\nPERSONAL          DOE) requirements, effective processes and procedures were not\nPROPERTY          in place to ensure the proper control and accountability of\n                  Federally-owned personal property in possession of the County of\n                  Los Alamos Fire Department (Fire Department). The Cooperative\n                  Agreement stated that Federally-owned personal property shall be\n                  managed in accordance with Title 10, Code of Federal Regulations\n                  (CFR). Part 600.232 of the CFR, Financial Assistance Rules,\n                  Equipment, requires that, in the event a grantee is provided\n                  Federally-owned equipment, the grantee is to manage the\n                  equipment in accordance with Federal agency rules and\n                  procedures. In this case, the applicable Federal agency rules and\n                  procedures are found in DOE Order 580.1, Department of Energy\n                  Personal Property Management Program. Specifically, the Fire\n                  Department had not:\n\n                       \xe2\x80\xa2   Reported lost or stolen items to Los Alamos National\n                           Laboratory (Los Alamos), as required. A 2010 inventory\n                           revealed that, among other property, 9 computers, 4\n                           cameras, a video projector and 40 radios were missing.\n                           However, the items missing were never reported nor were\n                           the losses ever investigated. Also, actions were not taken\n                           to determine financial responsibility for the missing\n                           property;\n\n                       \xe2\x80\xa2   Maintained an up-to-date listing of all Federally-owned\n                           personal property in the custody of the Incorporated\n                           County of Los Alamos (County); and,\n\n                       \xe2\x80\xa2   Always properly identified Federally-owned personal\n                           property at the time of acquisition or ensured the proper\n                           disposal of excess property.\n\nReporting Lost    The Fire Department had not reported lost or stolen items to Los\nor Stolen Items   Alamos, as required. During the 2010 inventory of Federally-\n                  owned personal property in its possession, the Fire Department\n                  could not account for 60 of the 566 items inventoried, including\n                  9 computers, 4 cameras, a video projector and 40 radios. As\n                  outlined in the terms and conditions of the Cooperative Agreement\n                  through Title 10, CFR, Part 600.232, the County is required to\n                  follow DOE Order 580.1. DOE Order 580.1 requires, among other\n                  things: establishing responsibility for determining possible\n\n\nPage 1                                                            Details of Finding\n\x0c                    financial liability; and reporting, documenting and investigating all\n                    instances of lost, damaged and destroyed personal property. Under\n                    the Cooperative Agreement, the Fire Department is required to\n                    coordinate with the Los Alamos Property Administrator within\n                    48 hours after discovering that Federally-owned personal property\n                    is lost, stolen or damaged.\n\n                    Consistent with DOE Order 580.1 and the Cooperative Agreement,\n                    the County developed a Fire Chief Directive on Lost, Stolen, or\n                    Damaged Personal Government Owned Property. This Directive\n                    required that the property user, as soon as possible, but no later\n                    than 24 hours after discovering a loss, theft or damage to property,\n                    prepare a Lost, Stolen, or Damaged Property (LSDP) form. This\n                    form was intended to report the date and circumstances\n                    surrounding an incident of lost, stolen or damaged property, and\n                    provide a summary of the supervisor\'s investigation and\n                    recommendation for appropriate action. However, when we\n                    requested copies of LSDP forms, a Fire Department official told us\n                    that no forms had been prepared. As a result, the Fire Department\n                    could not substantiate, and we could not independently determine,\n                    that the required investigation was conducted or documented to\n                    determine the disposition of the "unaccounted for" items, or that\n                    liability was established.\n\n                    Our finding was consistent with a National Nuclear Security\n                    Administration (NNSA) validation review of the 2010 inventory of\n                    Federally-owned personal property maintained by the Fire\n                    Department. In the validation report, NNSA stated that the Fire\n                    Department should comply with the provisions of Appendix D to\n                    the Cooperative Agreement, Personal Property Management Plan\n                    for Federally-Owned Personal Property, in reporting "unlocated"\n                    items. NNSA further stated that the Fire Department\'s Property\n                    Management Plan (Plan) warrants revision as it does not discuss\n                    several aspects of a valid Plan. Also, the validation report\n                    concluded that the Fire Department\'s property accountability rate\n                    (by value) is 94.1 percent, and was "far below acceptable Federal\n                    government standards."\n\nListing of          The Fire Department had not maintained a complete and up-to-date\nFederally-Owned     listing of all Federally-owned personal property in the custody of\nPersonal Property   the County. DOE Order 580.1 requires that entities with property\n                    management responsibilities establish and maintain individual\n                    property control records. Under the Cooperative Agreement, the\n                    Fire Department was required to provide information to Los\n                    Alamos on its Federally-owned personal property and Los Alamos\n                    was required to establish and maintain inventory records\n\n\n\nPage 2                                                               Details of Finding\n\x0c                     using the Los Alamos property management database. However,\n                     the intent of DOE Order 580.1 for establishing and maintaining\n                     property control records was not met. Also, we were not able to\n                     obtain a complete and up-to-date listing of all Federally-owned\n                     personal property in the custody of the County.\n\n                     Specifically, the Cooperative Agreement defines Federally-owned\n                     personal property as Federally-owned vehicles and equipment\n                     identified in Appendix B, Listing of Federally-Owned Vehicles and\n                     Equipment. However, we determined that a large number of items\n                     were missing from Appendix B. The initial Appendix included in\n                     the September 2008 Cooperative Agreement identified 92 property\n                     items. In November 2009, the Appendix was updated for the only\n                     time to include 459 property items. Conversely, the 2010\n                     inventory of the Fire Department contained 566 property items\n                     based on information identified in a Los Alamos property database.\n                     A comparison of the information contained in the property\n                     database with the information contained in Appendix B revealed\n                     138 items that were not listed in the Appendix and 31 items listed\n                     in the Appendix that were not listed in the property database.\n\nIdentification and   Contrary to the Cooperative Agreement, we found that the Fire\nDisposal of Excess   Department had not always properly identified Federally-owned\nFederally-Owned      personal property at the time of acquisition and had not ensured the\nPersonal Property    proper disposal of excess property. The Cooperative Agreement\n                     required the Fire Department to notify NNSA through the Los\n                     Alamos Property Administrator when Federally-owned personal\n                     property was received and excessed.\n\n                              Identification of Federally-Owned Personal Property\n\n                     The Fire Department had not implemented processes to ensure that\n                     all personal property acquired using Federal funds was properly\n                     identified. The Cooperative Agreement required the Fire\n                     Department to notify NNSA through the Los Alamos Property\n                     Administrator when Federally-owned personal property was\n                     received. It also required the Fire Department to ensure that\n                     Federally-owned personal property was properly accounted for\n                     from the point of acquisition through disposal. In this regard, the\n                     Fire Department was required to bar code Federally-owned\n                     personal property listed in Appendix B of the Cooperative\n                     Agreement. However, we found examples of Federally-owned\n                     personal property that did not have bar code labels and were not\n                     listed in Appendix B. Specifically, the Appendix listed six\n                     ambulances. Each ambulance should have been equipped with a\n                     gurney, a breathing machine and a defibrillator that were\n\n\n\nPage 3                                                               Details of Finding\n\x0c         appropriately marked as Federally-owned personal property.\n         However, the Appendix only listed three gurneys, three breathing\n         machines and five defibrillators.\n\n         In addition, when notifying NNSA about the acquisition of\n         Federally-owned personal property, the Fire Department Property\n         Administrator was required to provide Los Alamos the following\n         information: acquisition document number and date; asset type; bar\n         code number (identifier); description; manufacturer; model number;\n         serial number; acquisition value; organization code; and,\n         location. The Fire Department has a Property Data Worksheet that\n         captures the required information that was to be provided to Los\n         Alamos.\n\n         However, we were unable to independently verify the effectiveness\n         of this process. Specifically, the Cooperative Agreement requires\n         the Fire Department to attach "appropriate supporting\n         documentation" with monthly invoices submitted to NNSA for\n         reimbursement of direct costs for items such as equipment,\n         including personal property. These invoices did not always contain\n         appropriate supporting documentation on the purchase of newly\n         acquired Federally-owned personal property. For example,\n         manufacturer, model and serial numbers were sometimes missing\n         from the invoices. Also, the Fire Department used credit cards to\n         acquire property items, but the documentation only identified\n         "VISA" and the dollar amount of the purchase.\n\n                 Disposal of Excess Federally-Owned Personal Property\n\n         The Fire Department had not ensured the proper disposal of excess\n         property. Under the Cooperative Agreement, employees with\n         Federally-owned personal property that needed to be salvaged or\n         destroyed were required to notify the Fire Department Property\n         Administrator. The Fire Department was then required to dispose\n         of excess Federally-owned personal property through Los Alamos\n         excess, disposition, recycle or hazardous waste streams. In\n         addition, the Fire Department Property Administrator was required\n         to complete an Excess/Salvage Equipment Request form to initiate\n         the disposal.\n\n         However, the Fire Department did not provide a comprehensive and\n         accurate record for the disposition of excessed Federally-owned\n         personal property. For example, as previously stated, the nine\n         computers that were "unaccounted for" from the 2010 inventory\n         were not reported as lost or stolen within 48 hours as required by\n         the Cooperative Agreement, thereby indicating that this equipment\n         had been excessed. When we requested copies of the Fire\n\n\nPage 4                                                 Details of Finding\n\x0c                    Department\'s Excess/Salvage Equipment Request forms, the Fire\n                    Department could not provide the forms for the nine computers.\n\n                    In addition, there were inconsistencies between the Fire\n                    Department and Los Alamos concerning the documentation for the\n                    disposal of Federally-owned computers. We requested\n                    documentation on all excessed Federally-owned personal property\n                    since the beginning of the Cooperative Agreement. The combined\n                    records of both the Fire Department and Los Alamos showed a\n                    total of 76 Federally-owned computers excessed. Fire Department\n                    records did not account for 35 of the 76 excessed computers, and\n                    Los Alamos records did not account for 7 of the 76 excessed\n                    computers.\n\nPROTECTION OF       During the course of our inspection, concerns were raised that\nFEDERAL SENSITIVE   Sensitive Unclassified Information provided to the Fire\nUNCLASSIFIED        Department by Los Alamos may not have been adequately\nINFORMATION         protected. We added this issue to the scope of our review. We\n                    found that the Fire Department may not have been adequately\n                    protecting Sensitive Unclassified Information in its possession.\n                    Federal officials were aware of cyber security weaknesses related\n                    to the protection of Sensitive Unclassified Information provided to\n                    the County. However, in spite of specific suggestions to do so, the\n                    Los Alamos Site Office (Site Office) did not require the Fire\n                    Department to strengthen protective measures.\n\n                    The Fire Department was provided Sensitive Unclassified\n                    Information, to include Hazards Analyses and Los Alamos\n                    Complex Response Guides. This information was provided to\n                    assist the Fire Department in protecting Los Alamos in the event of\n                    a fire. The documents provided to the Fire Department were in the\n                    form of electronic media and were marked as either Official Use\n                    Only or Unclassified Controlled Nuclear Information. We were\n                    told that this Sensitive Unclassified Information was also stored on\n                    County servers and that the Fire Department maintained a wireless\n                    network which was used to update information on Federally-\n                    owned laptop computers located in Fire Department vehicles.\n\n                    The County has security measures in place such as log-on\n                    authentication and password protection for computers in its\n                    possession. We were told that the County encrypted data located\n                    on its servers, as well as data transmitted over data lines and a\n                    wireless network. While we did not test the effectiveness of these\n                    security measures, we did find that there were existing concerns\n                    about whether Sensitive Unclassified Information in possession\n\n\n\n\nPage 5                                                              Details of Finding\n\x0c         of the Fire Department was adequately protected. Specifically,\n         concerns over the protection of Sensitive Unclassified Information\n         by the County surfaced in a 2009 review conducted by a Los\n         Alamos Security Inquiry Team. This review was initiated after a\n         Site Office official conducted a walk-through at a County fire\n         station and found Unclassified Controlled Nuclear Information\n         unprotected in an open area.\n\n         In a December 2009 report titled Providing Sensitive Unclassified\n         Information (SUI) to Los Alamos Fire Department (LAFD), the\n         Inquiry Team reported that the County\'s Wireless Encrypted\n         Protection system was the common standard at the time the routers\n         were purchased more than 5 years prior to the review. The Inquiry\n         Team reported that this was an old technology and that the\n         encryption algorithm had made its compromise possible for a\n         knowledgeable adversary "for some time." The Inquiry Team also\n         reported that there was a desire on the part of County\n         Administration to dispense with the County\'s policy for encrypting\n         laptops on emergency vehicles which contained Sensitive\n         Unclassified Information. The Inquiry Team cautioned that using\n         unencrypted laptops would not assure Los Alamos\' sensitive\n         information is properly protected.\n\n         While the Inquiry Team found that it was unlikely there had been\n         an unauthorized release of Sensitive Unclassified Information, a\n         number of suggestions were made to the Site Office for actions\n         that the Fire Department could take to preclude the unauthorized\n         release of sensitive information. These suggestions included\n         updating encryption protocol for wireless routers and additional\n         cyber security training for Fire Department employees. However,\n         through interviews with Site Office and Fire Department officials,\n         we determined that the Site Office had not required the Fire\n         Department to implement the suggested changes.\n\n         We also found that the Cooperative Agreement was silent on the\n         protection of Sensitive Unclassified Information. NNSA has\n         developed policy to address the protection of this type of\n         information. NNSA Policy Letter 14.1-C (NAP 14.1-C), Baseline\n         Cyber Security Program, dated May 2, 2008, required that\n         responsibilities be assigned for protecting information on\n         information systems for the purpose of maintaining National\n         Security and ensuring the continuity of NNSA operations. This\n         NAP 14.1-C addressed areas such as: cyber security plans;\n         incident and vulnerability management; password generation and\n         protection; wireless technologies; and, remote accessing. In\n         conjunction with NAP 14.1-C, NNSA also developed NAP 14.2-C,\n         NNSA Certification and Accreditation (C&A) Process for\n\n\nPage 6                                                   Details of Finding\n\x0c               Information Systems, which further detailed NNSA\'s cyber security\n               requirements. However, none of the provisions of these policies\n               were incorporated into the Cooperative Agreement.\n\n               Given the issues reported by the Inquiry Team and the lack of\n               cyber security provisions in the Cooperative Agreement,\n               appropriate cyber security requirements should be incorporated\n               into the Cooperative Agreement so that NNSA\'s requirements for\n               the protection of Sensitive Unclassified Information are clear and\n               that County security measures are consistent with those\n               requirements.\n\nCONTRIBUTING   The problems discussed in this report occurred, in part, because\nFACTORS AND    NNSA did not ensure that the property management provisions,\nIMPACT         which were part of the Cooperative Agreement, had been\n               effectively implemented. Although DOE Order 580.1 applied to\n               the Fire Department\'s management of Federally-owned personal\n               property, NNSA did not include specific reference to DOE Order\n               580.1 in the Cooperative Agreement. Instead, NNSA incorporated\n               Appendix D, Personal Property Management Plan for Federally-\n               Owned Personal Property, into the Cooperative Agreement. The\n               Plan, as written, did not rise to the level of the requirements\n               contained in DOE Order 580.1. According to the author of the\n               Plan, the language in Appendix D was meant to be a "guide."\n               Unfortunately, the intention that the County was to expand on the\n               "guide" was never realized. In addition, there was no specific\n               requirement to update Appendix B of the Cooperative Agreement\n               on a routine basis as new Federally-owned personal property was\n               acquired and as property was excessed, further resulting in a lack\n               of proper accountability.\n\n               In addition, the County did not manage its Federally-owned personal\n               property in a manner consistent with the requirements of the\n               Cooperative Agreement. Further, the Fire Department did not always\n               implement County directives to ensure the proper control and\n               accountability of Federally-owned personal property in its possession.\n               As discussed in this report, there was no evidence that the provisions\n               of the County Fire Chief Directive on Lost, Stolen, or Damaged\n               Personal Government Owned Property had ever been implemented,\n               even though the results of the 2010 inventory showed that more than\n               10 percent of the inventoried items could not be located. In addition,\n               we could not independently verify the effectiveness of the Fire\n               Department\'s process for notifying NNSA about the acquisition of\n               Federally-owned personal property, to include the use of the Property\n               Data Worksheet. Also, there was no evidence that the Fire\n               Department\'s use of the Excess/Salvage Equipment Request form\n\n\n\nPage 7                                                         Details of Finding\n\x0c                  provided a comprehensive and accurate record for the disposition of\n                  all excessed Federally-owned personal property.\n\n                  Finally, NNSA did not ensure that all requisite provisions for cyber\n                  security were incorporated into the Cooperative Agreement.\n                  Specifically, the Business Services Division, NNSA Albuquerque\n                  Complex, did not incorporate most of the NNSA Policy Letter\n                  provisions into the Cooperative Agreement or require the Fire\n                  Department to adhere to any of NNSA\'s cyber security requirements.\n                  Instead, existing County security measures were relied upon, even\n                  though concerns about the ability of those measures to preclude the\n                  potential for unauthorized release of Sensitive Unclassified\n                  Information had been identified.\n\n                  As a consequence, these problems created an environment where\n                  Federally-owned personal property could be subject to misuse,\n                  theft or misappropriation. Specifically, we could not determine,\n                  with any certainty, that all Federally-owned personal property was\n                  identified, marked, inventoried and disposed of in a manner\n                  consistent with DOE Order 580.1. In addition, these problems\n                  created an environment where Sensitive Unclassified Information\n                  provided to the County could potentially be subject to loss or\n                  compromise. Specifically, we could not reach a definitive\n                  conclusion regarding the overall level of protection provided to the\n                  Sensitive Unclassified Information which was in the hands of the\n                  Fire Department.\n\nRECOMMENDATIONS   We recommend that the Contracting Officer, Business Services\n                  Division:\n\n                     1. Incorporate appropriate provisions of DOE Order 580.1,\n                        Department of Energy Personal Property Management\n                        Program, into the Cooperative Agreement;\n\n                     2. Ensure that the Fire Department\'s Property Management\n                        Plan is revised as necessary, consistent with the\n                        conclusions of NNSA\'s 2010 inventory validation review;\n\n                     3. Ensure that Appendix B of the Cooperative Agreement is\n                        updated on a routine basis as Federally-owned personal\n                        property is acquired and excessed; and,\n\n                     4. Incorporate appropriate cyber security requirements into\n                        the Cooperative Agreement so that NNSA requirements for\n                        the protection of Sensitive Unclassified Information are\n                        clear and that County security measures are consistent with\n                        those requirements.\n\n\nPage 8                                                          Recommendations\n\x0c             We also recommend that the Manager, Los Alamos Site Office,\n             ensure that:\n\n                5. The Fire Department reports lost or stolen items as required\n                   by DOE Order 580.1 and the Cooperative Agreement;\n\n                6. All personal property acquired by the County using Federal\n                   funds is accounted for in a manner consistent with the\n                   Cooperative Agreement; and,\n\n                7. All excess Federally-owned personal property in possession\n                   of the County is disposed of in a manner consistent with the\n                   Cooperative Agreement.\n\nMANAGEMENT   NNSA management agreed with the intent of the report findings\nCOMMENTS     and recommendations directed to the Contracting Officer, Business\n             Services Division. Management stated that NNSA will start\n             negotiations to amend the Cooperative Agreement to ensure that\n             the actions under Recommendations 1 through 4 are implemented.\n\n             However, management said that Recommendations 5 through 8\n             directed to the Manager, Los Alamos Site Office, were not\n             consistent with the Site Office\'s administrative authorities under\n             the Cooperative Agreement. Management further stated that,\n             while the County has agreed to the inclusion of several operational\n             and administrative provisions in the Cooperative Agreement,\n             NNSA does not have any specific authority to direct or enforce\n             compliance with those provisions. Management stated that it\n             remains in the Government\'s best interest to try to resolve or\n             mitigate these issues. Therefore, the Site Office is actively seeking\n             appropriate modifications to the Cooperative Agreement to\n             establish appropriate compliance with Department requirements.\n             In addition, management stated that, in the interim, NNSA will\n             continue working with County leadership to encourage voluntary\n             compliance.\n\n             Management cited a "just executed key modification" to the\n             Cooperative Agreement on December 16, 2011, that addressed\n             several of the issues raised in the report. Management stated that it\n             anticipated that NNSA and the Site Office will complete several\n             additional Cooperative Agreement modifications in the coming\n             months that will fully address the identified concerns.\n\n             Management requested that we delete or rewrite Recommendations\n             5 through 8 to reflect the potentially limited authorities inherent in\n             this type of agreement.\n\n\n\nPage 9                                               Management Comments\n\x0c            Management comments have been provided in their entirety in\n            Appendix 3.\n\nINSPECTOR   Management comments are generally responsive to our report\nCOMMENTS    findings and recommendations. However, we do note that\n            Title 2, Code of Federal Regulations, Grants and Agreements,\n            provides the authority to enforce this type of agreement with\n            specific remedies for noncompliance. In addition, the modification\n            to the Cooperative Agreement on December 16, 2011, did not\n            address the issues raised in the report. In order to clarify\n            management\'s position, we discussed these issues with NNSA\n            subsequent to receiving comments on the report. We were told\n            that management plans on issuing five modifications in the near\n            future that will include the necessary language to provide NNSA\n            with the authority to enforce the provisions of the Cooperative\n            Agreement. We believe these actions will meet the intent of our\n            recommendations if the modifications are issued with additional\n            language to strengthen NNSA\'s authority to enforce compliance;\n            and if, in the interim, NNSA works with County leadership to\n            encourage voluntary compliance.\n\n            With regard to NNSA\'s request to delete or rewrite\n            Recommendations 5 through 8, we deleted former\n            Recommendation 5 because Recommendation 1, if properly\n            implemented, should address the Recommendation\'s intent. We\n            also modified former Recommendations 7 and 8 to address\n            NNSA\'s comment. Recommendation 6 remains intact.\n\n\n\n\nPage 10                                                Inspector Comments\n\x0cAppendix 1\n\n                                          OTHER MATTERS\n\nSexually Oriented   During the examination of three hard drives that were turned in by\nImages              the Los Alamos County Fire Department (Fire Department) for\n                    disposal, we found a number of sexually oriented images. Under\n                    Department of Energy (DOE) Order 203.1, Limited Personal Use of\n                    Government Office Equipment Including Information Technology,\n                    examples of misuse of Government resources include "creating,\n                    downloading, viewing, storing, copying or transmitting sexually\n                    explicit or sexually oriented materials." However, the Cooperative\n                    Agreement only required Fire Department employees to "ensure the\n                    safe and appropriate use and safeguarding of Federally-owned\n                    personal property," and stated that Federally-owned personal\n                    property could only be used when performing official Government\n                    work or for incidental personal, professional or community use. The\n                    Cooperative Agreement did not identify the creating, downloading,\n                    viewing, storing, copying or transmitting of sexually explicit or\n                    sexually oriented materials as a specific misuse of the Federally-\n                    owned personal property provided to the Fire Department.\n\nQuestioned Costs    The Cooperative Agreement provides for sharing costs between the\n                    National Nuclear Security Administration (NNSA) and the\n                    Incorporated County of Los Alamos (County). NNSA\'s share of\n                    the costs is approximately $80.1 million and the County\'s share is\n                    approximately $19.8 million. The Business Services Division,\n                    NNSA Albuquerque Complex, questioned certain costs incurred by\n                    the County for the first two years of the Cooperative Agreement\n                    (October 2008 through September 2010). Specifically, the County\n                    reported $35.9 million of total costs incurred by the Fire\n                    Department, of which $28.8 million was billed to NNSA for\n                    reimbursement under the Cooperative Agreement. The Business\n                    Services Division reviewed the monthly invoices to determine\n                    whether the costs were allowable, reasonable and allocable to the\n                    Cooperative Agreement. The Business Services Division\n                    questioned costs totaling $621,613, as shown in the Table below:\n\n                                            Total Questioned Costs\n\n                           Fiscal                      Invoiced      Questioned\n                           Year      Total Costs       Amount          Costs\n\n                           2009      $17,514,961     $13,978,318       $82,890\n\n                           2010      $18,343,933     $14,853,241      $538,723\n\n                           Total     $35,858,894     $28,831,559      $621,613\n\n\n\nPage 11                                                               Other Matters\n\x0cAppendix 1 (continued)\n\n                          The bulk of the costs questioned by the Business Services Division\n                          in Fiscal Year (FY) 2009 related to the September 2009 invoice in\n                          which the County billed NNSA for $1,312,186 (of the $13,978,318\n                          for the year). The Business Services Division questioned $60,762\n                          (of the $82,890 in questioned costs) for the purchase of radios.\n                          The County\'s explanation to NNSA was that the purchase of 19\n                          two-way radios was necessary for the Fire Department\'s\n                          communication systems. These radios were provided to new\n                          cadets and purchased to replace old radios. Each year the Fire\n                          Department seeks to replace approximately one-third of its radios,\n                          as each radio has a useful life of approximately 3 years.\n\n                          The bulk of questioned costs identified by the Business Services\n                          Division in FY 2010 related to the October 2009 invoice in which\n                          the County billed NNSA for $1,542,825 (of the $14,853,240 for\n                          the year). With regard to this invoice, the Business Services\n                          Division questioned $378,116 (of the $538,723 in total questioned\n                          costs for FY 2010). For example, the Business Services Division\n                          questioned about $180,000 related to medical equipment and about\n                          $78,000 related to emergency dispatch communications\n                          equipment. We determined that the Business Services Division\n                          questioned the equipment purchases because the amount did not\n                          appear reasonable. The County subsequently provided detailed\n                          information regarding the use of the equipment by the Fire\n                          Department. The Business Services Division also questioned\n                          $45,631 related to payroll for firefighters whose badges had been\n                          suspended, and, therefore, were unable to fight fires within\n                          restricted areas of the Los Alamos National Laboratory as required\n                          by the Cooperative Agreement. At the time of our inspection,\n                          NNSA and the County had not resolved the $621,613 in\n                          questioned costs.\n\n                          It should be noted that, in addition to the $621,613 in questioned\n                          costs discussed above, NNSA also withheld 20 percent of costs\n                          claimed on monthly billings during FY 2010, making the total\n                          amount of unresolved questioned costs $2.3 million.\n\nSUGGESTED ACTIONS With regard to the issue of sexually oriented images on Federally-\n                  owned computers, we suggest that the Contracting Officer,\n                  Business Services Division:\n\n                             1. Ensure that the provisions of DOE Order 203.1 are\n                                incorporated into the Cooperative Agreement to provide\n                                specific information on the misuse of Government\n                                resources.\n\n\n\n\nPage 12                                                                       Other Matters\n\x0cAppendix 1 (continued)\n\n                    In addition, given the fact that questioned costs had not been\n                    resolved at the time of our review, we suggest that the Contracting\n                    Officer, Business Services Division:\n\n                         2. Resolve questioned costs with the County in a more\n                            expeditious manner.\n\n\n\n\nPage 13                                                           Suggested Actions\n\x0cAppendix 2\n\nOBJECTIVE     We initiated this inspection to determine if Federally-owned\n              personal property under the Cooperative Agreement was\n              adequately managed. During the course of our inspection,\n              concerns were raised that Sensitive Unclassified Information\n              provided to the Los Alamos County Fire Department by Los\n              Alamos National Laboratory may not have been adequately\n              protected. We added this issue to the scope of our review.\n\nSCOPE         We conducted this inspection from January 2011 through January\n              2012 at the Los Alamos National Laboratory (Los Alamos),\n              Incorporated County of Los Alamos (County) and Los Alamos\n              County Fire Department (Fire Department) in Los Alamos, New\n              Mexico; and the National Nuclear Security Administration\n              (NNSA) Albuquerque Complex in Albuquerque New Mexico.\n\nMETHODOLOGY   To accomplish the inspection objectives, we interviewed officials\n              from Los Alamos, the County, the Department of Energy\n              (Department or DOE) and NNSA. In addition, we reviewed and\n              analyzed the Cooperative Agreement, including modifications, and\n              the following regulations and policies:\n\n                   \xe2\x80\xa2   Title 10, Code of Federal Regulations, Part 600.232,\n                       Department of Energy Financial Assistance Rules,\n                       Equipment;\n\n                   \xe2\x80\xa2   Title 2, Code of Federal Regulations, Grants and\n                       Agreements;\n\n                   \xe2\x80\xa2   DOE Order 203.1, Limited Personal Use of Government\n                       Office Equipment Including Information Technology;\n\n                   \xe2\x80\xa2   DOE Order 580.1, Department of Energy Personal\n                       Property Management Program; and,\n\n                   \xe2\x80\xa2   NNSA Policy Letter 14.1-C, NNSA Baseline Cyber\n                       Security Program.\n\n              We also reviewed:\n\n                   \xe2\x80\xa2   Fire Department Excess/Salvage Equipment Request\n                       forms;\n\n                   \xe2\x80\xa2   Relevant Los Alamos and NNSA Memoranda, and the\n                       Department, NNSA, Los Alamos and Fire Department\n                       electronic mail;\n\n\n\nPage 14                                  Objective, Scope and Methodology\n\x0cAppendix 2 (continued) ______________________________________\n\n                        \xe2\x80\xa2   Los Alamos Fire Chief Directives on: Government\n                            Owned Property Held by Los Alamos County; Lost,\n                            Stolen, or Damaged Personal Government Owned\n                            Property; and, Acknowledgement of Receipt of Goods;\n                            and,\n\n                        \xe2\x80\xa2   Three Federally-owned hard drives utilized by the Fire\n                            Department.\n\n                   This was a joint audit and inspection effort. The audit of incurred\n                   costs was conducted in accordance with generally accepted\n                   Government auditing standards. Also, the inspection on property\n                   management and protection of Sensitive Unclassified Information\n                   was conducted in accordance with the Council of the Inspectors\n                   General on Integrity and Efficiency, Quality Standards for\n                   Inspection and Evaluation, January 2011. Those standards require\n                   that we plan and perform the review to obtain sufficient,\n                   appropriate evidence to provide a reasonable basis for our findings\n                   and conclusions based on our objectives. We believe the evidence\n                   obtained provides a reasonable basis for our findings and\n                   conclusions based on our inspection objectives. The review\n                   included tests of controls and compliance with laws and\n                   regulations to the extent necessary to satisfy the objectives.\n                   Because our review was limited, it would not necessarily have\n                   disclosed all internal control deficiencies that may have existed at\n                   the time of our inspection. In addition, we relied on computer-\n                   processed data to some extent to satisfy our objective related to\n                   property management. We confirmed the validity of such data, as\n                   appropriate, by conducting interviews and reviewing source\n                   documents.\n\n                   The Exit Conference was waived by NNSA.\n\n\n\n\nPage 15                                        Objective, Scope and Methodology\n\x0cAppendix 3\n             MANAGEMENT COMMENTS\n\n\n\n\nPage 16                            Management Comments\n\x0cAppendix 3 (continued)_______________________________________\n\n\n\n\nPage 17                                     Management Comments\n\x0cAppendix 4________________________________________________\n\n                                     PRIOR REPORTS\n\n  \xe2\x80\xa2   Audit Report on The Federal Energy Regulatory Commission\'s Unclassified Cyber\n      Security Program \xe2\x80\x93 2011 (OAS-M-12-01, November 2011). The Federal Information\n      Security Management Act of 2002 (FISMA) established requirements for Federal\n      agencies related to the management and oversight of information security risks and to\n      ensure that information technology resources were adequately protected. As directed by\n      FISMA, the Office of Inspector General (OIG) conducted an independent evaluation of\n      the Federal Energy Regulatory Commission\'s (Commission) unclassified cyber security\n      program to determine whether it adequately protected data and information systems. The\n      Commission had taken actions to improve its cyber security posture and mitigate risks\n      associated with certain issues identified during our Fiscal Year (FY) 2010 evaluation.\n      While these measures are noteworthy, our current evaluation disclosed that additional\n      action is needed to further protect information systems and data. Specifically, we\n      continued to identify weaknesses related to the Commission\'s timely remediation of\n      software vulnerabilities. The problems we identified were due, in part, to less than fully\n      effective implementation of cyber security policies and procedures. In particular,\n      Commission officials informed us that they did not follow their existing Vulnerability\n      Management Program policies due to budget and resource constraints. Although the\n      Commission continued to make progress in improving its cyber security posture,\n      additional actions are needed to further reduce the risk to the agency\'s information\n      systems and data.\n\n  \xe2\x80\xa2   Audit Report on The Department\'s Unclassified Cyber Security Program \xe2\x80\x93 2011\n      (DOE/IG-0856, October 2011). FISMA provides direction on the development,\n      implementation and management of an agency-wide information security program to\n      provide protection commensurate with risk for Federal information and systems,\n      including those managed by another agency or contractors. In accordance with FISMA,\n      the OIG conducted its annual independent evaluation to determine whether the\n      Department of Energy\'s (Department) unclassified cyber security program adequately\n      protected its information and systems. Our evaluation disclosed that the Department had\n      taken steps to enhance its unclassified cyber security program, including resolving 11 of\n      35 cyber security weaknesses identified during our FY 2010 evaluation. However,\n      additional action is needed to further strengthen the Department\'s unclassified cyber\n      security program and help address threats to its information and systems. Our evaluation\n      disclosed numerous weaknesses in the areas of access controls, vulnerability management\n      web application integrity, contingency planning, change control management and cyber\n      security training. The weaknesses identified occurred, in part, because Departmental\n      elements had not ensured that cyber security requirements included all necessary\n      elements and were properly implemented. Program elements also did not always utilize\n      effective performance monitoring activities to ensure that appropriate security controls\n      were in place.\n\n\n\n\nPage 18                                                                          Prior Reports\n\x0cAppendix 4 (continued)_______________________________________\n\n  \xe2\x80\xa2   Inspection Report on Fire Suppression and Related Services at Los Alamos National\n      Laboratory (DOE/IG-821, September 2009). The Department\'s Los Alamos National\n      Laboratory (Los Alamos) is a multidisciplinary research institution engaged in strategic\n      science on behalf of national security. Los Alamos operates in "unique" hazard\n      environments, to include special nuclear materials, explosives, and hazardous chemicals,\n      that create special fire suppression and emergency management challenges. To address\n      these challenges, Los Alamos must have a comprehensive approach to the protection of\n      personnel, facilities, physical assets and programmatic activities from fire and related\n      dangers. Information was provided to the OIG that problems existed with regard to fire\n      suppression and related services at Los Alamos. As a result, we initiated an inspection to\n      determine if fire suppression and related services at Los Alamos are assured through\n      contractual arrangements with the Incorporated County of Los Alamos (County). On\n      September 30, 2008, subsequent to the initiation of our inspection, the National Nuclear\n      Security Administration (NNSA) entered into a Cooperative Agreement with the County\n      to provide Los Alamos County Fire Department (Fire Department) and related services to\n      Los Alamos. We concluded that fire suppression and related services had not been\n      assured through contractual arrangements with the County. Specifically, we found that:\n      fire fighters had not been properly trained; required pre-incident plans developed by the\n      Fire Department lacked necessary information; fire fighters did not have necessary\n      knowledge of Los Alamos facilities; and, the Fire Department\'s fire fighting capabilities\n      have not been sufficiently demonstrated through exercises. We concluded that the above\n      conditions were caused by significant problems with the administration of the contracting\n      arrangements by the Department, NNSA, Los Alamos, and the County. We did not find\n      evidence that anyone actively managed the fire suppression services contract for a\n      number of years.\n\n\n\n\nPage 19                                                                          Prior Reports\n\x0c                                                                    IG Report No. DOE/IG-0859\n\n                               CUSTOMER RESPONSE FORM\n\nThe Office of Inspector General has a continuing interest in improving the usefulness of its\nproducts. We wish to make our reports as responsive as possible to our customers\' requirements,\nand, therefore, ask that you consider sharing your thoughts with us. On the back of this form,\nyou may suggest improvements to enhance the effectiveness of future reports. Please include\nanswers to the following questions if they are applicable to you:\n\n    1. What additional background information about the selection, scheduling, scope, or\n       procedures of the audit or inspection would have been helpful to the reader in\n       understanding this report?\n\n    2. What additional information related to findings and recommendations could have been\n       included in the report to assist management in implementing corrective actions?\n\n    3. What format, stylistic, or organizational changes might have made this report\'s overall\n       message clearer to the reader?\n\n    4. What additional actions could the Office of Inspector General have taken on the issues\n       discussed in this report which would have been helpful?\n\n    5. Please include your name and telephone number so that we may contact you should we\n       have any questions about your comments.\n\n\n\nName __________________________________ Date ________________________\n\nTelephone ______________________________ Organization __________________\n\n\nWhen you have completed this form, you may telefax it to the Office of Inspector General at\n(202) 586-0948, or you may mail it to:\n\n                               Office of Inspector General (IG-1)\n                                     Department of Energy\n                                    Washington, DC 20585\n\n                                  ATTN: Customer Relations\n\nIf you wish to discuss this report or your comments with a staff member of the Office of\nInspector General, please contact our office at (202) 253-2162.\n\x0cThis page intentionally left blank.\n\x0cThe Office of Inspector General wants to make the distribution of its reports as customer friendly\nand cost effective as possible. Therefore, this report will be available electronically through the\n                                Internet at the following address:\n\n              U.S. Department of Energy Office of Inspector General Home Page\n                                    http://energy.gov/ig\n\n  Your comments would be appreciated and can be provided on the Customer Response Form\n                                 attached to the report.\n\x0c'